arno/clair
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

updater: Set vulns' Severity from NVD metadata fetcher if unknown

Browse Source 
If a Vulnerability that goes through the NVD metadata fetcher has an
empty or Unknown Severity, then use the CVSS score to set one. This
will help to get a more consistent database when a vulnerability source
does not provide this information.
This commit is contained in:
Quentin Machu 2016-11-18 18:08:22 +01:00
parent 1c3daa23b9
commit 96398465de
1 changed files with 28 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
updater/metadata_fetchers/nvd/nvd.go
View File

@ -18,6 +18,7 @@ import (
"github.com/coreos/clair/database" "github.com/coreos/clair/database"
"github.com/coreos/clair/updater" "github.com/coreos/clair/updater"
cerrors "github.com/coreos/clair/utils/errors" cerrors "github.com/coreos/clair/utils/errors"
"github.com/coreos/clair/utils/types"
"github.com/coreos/pkg/capnslog" "github.com/coreos/pkg/capnslog"
) )
@ -106,13 +107,17 @@ func (fetcher *NVDMetadataFetcher) AddMetadata(vulnerability *updater.Vulnerabil
if nvdMetadata, ok := fetcher.metadata[vulnerability.Name]; ok { if nvdMetadata, ok := fetcher.metadata[vulnerability.Name]; ok {
vulnerability.Lock.Lock() vulnerability.Lock.Lock()
// Create Metadata map if necessary. // Create Metadata map if necessary and assign the NVD metadata.
if vulnerability.Metadata == nil { if vulnerability.Metadata == nil {
vulnerability.Metadata = make(map[string]interface{}) vulnerability.Metadata = make(map[string]interface{})
} }
vulnerability.Metadata[metadataKey] = nvdMetadata vulnerability.Metadata[metadataKey] = nvdMetadata
// Set the Severity using the CVSSv2 Score if none is set yet.
if vulnerability.Severity == "" || vulnerability.Severity == types.Unknown {
vulnerability.Severity = scoreToPriority(nvdMetadata.CVSSv2.Score)
}
vulnerability.Lock.Unlock() vulnerability.Lock.Unlock()
} }
@ -225,3 +230,24 @@ func getHashFromMetaURL(metaURL string) (string, error) {
return "", errors.New("invalid .meta file format") return "", errors.New("invalid .meta file format")
} }
// scoreToPriority converts the CVSS Score (0.0 - 10.0) into user-friendy
// types.Priority following the qualitative rating scale available in the
// CVSS v3.0 specification (https://www.first.org/cvss/specification-document),
// Table 14. The Negligible level is set for CVSS scores between [0, 1),
// replacing the specified None level, originally used for a score of 0.
func scoreToPriority(score float64) types.Priority {
switch {
case score < 1.0:
return types.Negligible
case score < 3.9:
return types.Low
case score < 6.9:
return types.Medium
case score < 8.9:
return types.High
case score <= 10:
return types.Critical
}
return types.Unknown
}